As your organization works to strengthen the security of its IT infrastructure to meet the requirements of the NIST 800-171 framework, and in anticipation of securing Cybersecurity Maturity Model Certification (CMMC) Maturity Level 3 compliance, a few issues frequently require attention.
Working to address these challenges will raise your company’s Supplier Performance Risk System (SPRS) score. This can be instrumental in demonstrating your commitment to exceptional cybersecurity hygiene to government entities looking to use your products or services.
We have found that these issues require remediation at most of the companies we have assessed.
Absence of Documentation
With CMMC looming, a lot of companies are examining their policies, procedures, and standard documentation. At CyberSheath, before we get to the remediation process, we assess where an organization stands in terms of compliance readiness. Generally, what we find is that most companies have very little documentation describing what they are doing and how they are governing their security controls.
A lack of internal resources can make formulating the appropriate documentation a challenge. While we can craft that documentation, the hard part is getting each company to go through its records and align policies and procedures with its unique organizational practices. What we call best practices are not necessarily applicable to every business as written. For example, the best-practice value for an activity timeout could be 10 minutes. However, for your business, perhaps it makes sense to extend that time period to 30 minutes.
No Multi-factor Authentication (MFA)
We’ve discovered that most companies either have MFA partially applied or not applied at all. In many cases these entities are using Microsoft 365 and have activated MFA for logging into that environment. That is not sufficient. Part of the requirement is that multifactor authentication must be turned on even when you are logging on locally: when you turn on your laptop and type in a password, you should also have to present a second factor to access your laptop. From what we’ve seen in our assessments, this step almost never happens.
The struggle here may be that additional resources and tools need to be procured, which adds another cost. Also, much of the remediation we assist clients with comes back to culture change, which is a huge challenge.
Perhaps your IT group has one generic admin user ID with a shared password. While this ID is only assigned to IT, it could be used by multiple people. This practice creates an accountability issue because it becomes difficult to identify exactly which user performed an action. Another example would be a shared computer on the floor of a manufacturing company, used by 10 people. A lot could happen between those 10 users, making it challenging to tell which user performed what tasks, or even who executed a potentially malicious act.
In a similar vein, it is also relatively common for companies to mistakenly or intentionally provision user accounts that grant individual workers outside of management admin access. It is pretty easy to see how this could go horribly wrong. While many users do not notice or act on this level of access, it does open up the entity to all sorts of security issues.
If your organization would like assistance in determining its current security posture, including assessing whether or not it needs to remediate these common issues, give us a call. We will be happy to work with you to identify compliance gaps, craft a plan to address any issues, and help your company improve its SPRS score.